On Monday afternoon, there was a certain kind of silence on cryptocurrency Twitter—the kind that typically precedes the loud part. Google’s researchers recently published two papers, one of their own and one from a small startup called Oratomic. While the math is truly difficult for anyone who hasn’t worked on lattice problems for ten years, the lesson is not.
The resources needed to crack some of the most significant cryptographic systems have just dropped, by roughly a factor of ten. Google also casually included a new date in its blog post: 2029. That is the new deadline for migrating to post-quantum cryptography. Three years away.

| Topic Information | Details |
|---|---|
| Subject | Post-quantum cryptography threat to Bitcoin |
| Source of Warning | Google Quantum AI research team |
| Migration Deadline Proposed | 2029 |
| Algorithm in Question | Shor’s algorithm (1994) |
| Coins Potentially at Risk | Over 1 million BTC held in early addresses |
| Key Voices | Justin Drake (co-signer), Adam Back (Blockstream) |
| Other Affected Networks | Ethereum, with its post-quantum roadmap underway |
| Resource Reduction Claimed | Roughly 10x fewer qubits than previously estimated |

That timeline is like a stone in a still pond for Bitcoin. For the entirety of its existence, the network has operated under the cozy presumption that quantum computing would be a problem for someone else at some point in the future, ideally when everyone reading this is comfortably retired. Adam Back, a well-known figure in Bitcoin circles for reasons dating back to Hashcash, has been evaluating quantum risk for years. He stated last year that he didn’t anticipate a serious attack for decades, but he did recommend some readiness work over the next five years. The Google paper shrinks his window, effectively and not gently.
The loud version of this story is incorrect, so it’s important to be clear about what’s truly at stake. Back was quick to note that the Bitcoin network does not employ encryption. Your transactions are not being intercepted while they are in transit.

The threat is more limited and more peculiar: a sufficiently powerful quantum computer using Shor’s algorithm could, under specific circumstances, derive a private key from a public key. And whoever obtains your private key owns your coins. This system does not have an appeals court.
This is where the story becomes awkward, because some addresses are more visible than others. Older Bitcoin addresses, including those thought to be owned by Satoshi Nakamoto, expose their public keys directly. More than a million bitcoins are stored in those wallets. When you add that up at current prices, the math becomes morbidly interesting, according to a friend of mine who works in security. Tens of billions of dollars sit in plain sight, safeguarded by a presumption that might not last as long as anyone would like to acknowledge. Relatively speaking, newer addresses are safer. Their public key is visible only for a short period of time after a transaction is broadcast, typically ten minutes. Theoretically, a fast enough quantum computer could take advantage of that gap.
There isn’t a computer like that. Not right now. One of the researchers who co-signed the Google paper, Justin Drake, succinctly summed up the implication by pointing out that a superconducting quantum machine similar to the one Google is currently developing could crack keys in a matter of minutes. In that sentence, the “could” is doing a lot of work. What counts, though, is the trajectory.
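As an added example (not taken from the Google paper or from any Bitcoin project), the sketch below sorts output scripts into the two exposure classes described above: public key visible in the output itself, or public key revealed only when the coins are spent. It goes beyond the text by naming the standard script templates (P2PK, P2PKH, P2SH, SegWit v0, Taproot) and by flagging scripts that were already spent from; the sample scripts and the `spent_from` input are constructed assumptions.

```python
from collections import defaultdict

def _is_pubkey(k):
    # Compressed (02/03 + 32 bytes) or uncompressed (04 + 64 bytes) secp256k1 key
    return (len(k) == 33 and k[0] in (2, 3)) or (len(k) == 65 and k[0] == 4)

def classify(script_hex):
    """Return (script_type, pubkey_visible_in_output) for a scriptPubKey."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push pubkey> OP_CHECKSIG. The key itself sits in the output.
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC and _is_pubkey(s[1:-1]):
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "p2pkh", False
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "p2sh", False
    if n == 22 and s[:2] == b"\x00\x14":   # witness v0, 20-byte key hash
        return "p2wpkh", False
    if n == 34 and s[:2] == b"\x00\x20":   # witness v0, 32-byte script hash
        return "p2wsh", False
    # P2TR: OP_1 <32-byte x-only key>. The output commits to a key, not a hash.
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True
    return "unknown", False

def exposure_report(utxos, spent_from=frozenset()):
    """Sum satoshis per exposure bucket. utxos: iterable of (script_hex, sats).
    spent_from (assumed input): scripts already spent from, so key is public."""
    totals = defaultdict(int)
    for script_hex, sats in utxos:
        kind, at_rest = classify(script_hex)
        if at_rest:
            bucket = "exposed_at_rest"
        elif kind == "unknown":
            bucket = "unknown"
        elif script_hex in spent_from:
            bucket = "exposed_by_reuse"
        else:
            bucket = "exposed_only_when_spent"
        totals[bucket] += sats
    return dict(totals)

# Constructed sample outputs (placeholder keys and hashes, not real coins)
SAMPLE = [("41" + "04" + "11" * 64 + "ac", 5_000_000_000),
          ("76a914" + "22" * 20 + "88ac", 150_000),
          ("0014" + "33" * 20, 70_000),
          ("5120" + "44" * 32, 20_000)]
```

Running `exposure_report(SAMPLE)` on a wallet's own unspent outputs gives a quick inventory of which funds would need to move first in a migration.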
Bitcoin moving rapidly is more difficult to envision. The network’s most recent major internal conflict, which lasted for two years and left scars, was over something as relatively straightforward as block size. To its credit, Ethereum has already released a post-quantum roadmap. The future of Bitcoin is less clear. As all of this is happening, there’s a sense that the community has the technical know-how to solve the problem, but not necessarily the temperament to agree on how. When attempting to retrofit a global financial system without betraying confidence, three years is not long. As of Monday, the clock is officially running.
